Rinsuki

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 12.90.0 **Description** A Server-Side Request Forgery issue exists in the "Upload from URL" and remote attachment handling features of Misskey, potentially leading to the disclosure of non-public information within the internal network. This issue can be mitigated by restricting access to private networks from the host where the application is running. **Recommendations** For versions prior to 12.90.0, update to version 12.90.0 to resolve the issue. If a proxy is in use, additional measures will be necessary. As a temporary workaround, consider restricting access to private networks from the host where the application is running to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Misskey versions prior to 12.51.0 **Description** Misskey is a decentralized microblogging platform. In versions prior to 12.51.0, malicious actors can use the web client built-in dialog to display a malicious string, leading to cross-site scripting (XSS). XSS could compromise the API request token. **Recommendations** For versions prior to 12.51.0, upgrade to version 12.51.0 to resolve the issue. As a temporary workaround, consider restricting access to the web client built-in dialog until the upgrade is applied.

Name of the Vulnerable Software and Affected Versions: xmlhttprequest versions prior to 1.7.0 xmlhttprequest-ssl all versions Description: The issue arises when requests are sent synchronously, with `async=False` on `xhr.open`. If malicious user input flows into `xhr.send`, it could result in arbitrary code being injected and run. Recommendations: For xmlhttprequest versions prior to 1.7.0, update to version 1.7.0 or later. For xmlhttprequest-ssl all versions, consider disabling the `xhr.send` function until a patch is available, and restrict access to the `xhr.open` method with `async=False` to minimize the risk of exploitation.